1. Introduction

1.1. Background. In 2002, Congress passed the Help America Vote Act of 2002 (HAVA).
HAVA created the U.S. Election Assistance Commission (EAC) and assigned to the EAC
the responsibility for both setting voting system standards and providing for the
voluntary testing and certification of voting systems. This mandate represented the first
time that the Federal government provided for the voluntary testing, certification, and
decertification of voting systems nationwide. In response to this HAVA requirement, the
EAC has developed the voting system standards in the form of the Voluntary Voting
System Guidelines (VVSG), a voting system certification program in the form of the
Voting System Testing and Certification Program Manual and this document, the Voting
System Test Laboratory Program Manual.

1.2. Authority. HAVA Section 231(b) (42 U.S.C. §15371(b)) requires that the EAC provide for
the accreditation and revocation of accreditation of independent, non-federal laboratories
qualified to test voting systems to Federal standards. Generally, the EAC considers for
accreditation those laboratories evaluated and recommended by the National Institute of
Standards and Technology (NIST) pursuant to HAVA Section 231(b)(1). However,
consistent with HAVA Section 231(b)(2)(B), the Commission may also vote to accredit
laboratories outside of those recommended by NIST upon publication of an explanation
of the reason for any such accreditation.

1.3. Role of the National Institute of Standards and Technology. Section 231(b)(1) of
HAVA requires that the National Institute of Standards and Technology “conduct an
evaluation of independent, non-federal laboratories and shall submit to the Commission
a list of those laboratories...to be accredited....” Additionally, HAVA Section 231(c)
requires NIST to monitor and review the performance of EAC accredited laboratories.
NIST has chosen its National Voluntary Laboratory Accreditation Program (NVLAP) to
carry out these duties.

NVLAP conducts a review of applicant laboratories in order to provide a measure of
confidence that such laboratories are capable of performing testing of voting systems to
Federal standards. Additionally, the NVLAP program monitors laboratories by requiring
regular assessments. Laboratories are reviewed one year after their initial accreditation
and biennially thereafter. The EAC has made NVLAP accreditation a requirement of its
Voting System Test Laboratory (VSTL) Program. However, a NVLAP accreditation is not
an EAC accreditation. The EAC is the sole Federal authority for the accreditation and
revocation of accreditation of Voting System Test Laboratories.

1.4. Scope. This manual provides the procedural requirements of the EAC Voting System
Laboratory Program. Although participation in the program is voluntary, adherence to
the program’s procedural requirements is mandatory if VSTLs choose to participate. The
procedural requirements of this manual supersede any prior laboratory accreditation
requirements issued by the EAC. This manual is intended to be read in conjunction with
the Voting System Testing and Certification Program Manual.

1.5. Manual Maintenance and Revision. The manual will be reviewed periodically and
updated to meet the needs of the EAC, VSTLs, voting system manufacturers, election
officials, and public policy. The EAC is responsible for revising this document. All
revisions will be made consistent with federal law. Substantive input from stakeholders
and the public will be sought whenever possible. Changes in policy requiring immediate
implementation will be documented via policy memoranda and will be issued to each
VSTL and manufacturer. Changes, addendums, or updated versions will also be posted
on www.eac.gov.

1.6. Clarification of Program Requirements and Procedures. VSTLs and manufacturers may
request clarification regarding the requirements and procedures set forth in this manual.
Requests for interpretation must be based upon ambiguity arising from the application
of this manual. Hypothetical questions will not be considered. Requests must be
submitted to the Program Director in writing as described in Chapter 9 of the Voting
System Testing and Certification Program Manual. The request must clearly identify the
section of the manual and issue to be clarified, a proposed interpretation and all relevant
facts. Clarifications issued by the EAC will be provided to all VSTLs and manufacturers
and published on www.eac.gov.

1.7. Program Personnel. All EAC personnel and contractors associated with this program are
held to the highest ethical standards. All agents of the EAC involved in the VSTL
Program are subject to conflict-of-interest reporting and ethics review, consistent with
federal law and regulation. The term “Program Director” as used throughout this
manual refers to the Voting System Testing and Certification Director. In the event of a
vacancy in this position, the EAC Executive Director will designate staff to temporarily
assume these duties.

1.8. Submission of Documents. Any documents submitted in accordance with the
requirements of this manual must be submitted electronically via secure e-mail or
physical delivery of digital media. The submitted electronic files must be in PDF format,
formatted to protect the document from alteration. If sent via physical delivery, by
certified mail (or similar means that allows tracking) to the following address:

U.S. Election Assistance Commission
Attn: Testing and Certification Program Director
633 3rd Street NW, Suite 200
Washington, DC 20001

1.9. Receipt of Documents — VSTL. For purposes of this manual, a document, notice, or other
communication is considered received by a VSTL upon its physical or electronic arrival
at the VSTL’s main office.


1.10. Receipt of Documents — EAC. For purposes of this manual, a document, notice, or other 
communication is considered received by the EAC upon its physical or electronic arrival 
at the agency. All documents received by the agency will be physically or electronically 
date stamped and this stamp will serve as the date of receipt. 


1.11. Record Retention. The EAC retains all records associated with the VSTLs. The records 
are retained or disposed in accordance with federal law. 


1.12. Publication and Release of Documents. The EAC releases documents consistent with 
the requirements of federal law. It is EAC policy to make the certification process as 
transparent as possible. Any documents (or portions thereof) submitted under this 
Program are made available to the public unless specifically protected from release by 
law. All submitted documentation must utilize the least restrictive markings possible. 
The primary means for making this information available is through www.eac.gov. 


2. Program Requirements 


2.1. Overview. This chapter lists the requirements of the VSTL Program. Adherence to these
requirements is a condition of accreditation and a continuing obligation. Failure to
demonstrate compliance with the requirements of this chapter may result in the denial of
an application for accreditation, suspension of accreditation, or revocation of
accreditation.

2.2. NIST Recommendation. According to the Help America Vote Act of 2002, Section
231(b), NIST must perform a technical evaluation of VSTLs and identify and recommend
those competent to test voting systems to the EAC, unless the emergency provisions of
Chapter 3 of this manual apply.

2.3. NVLAP Accreditation. All VSTLs must hold a valid accreditation from NIST’s National
Voluntary Laboratory Accreditation Program (NVLAP), unless the emergency
provisions of Chapter 3 of this manual apply. NVLAP accreditation is the primary means
by which the EAC ensures that each VSTL meets and continues to meet the technical
requirements of the EAC program. It sets the standards for each VSTL’s technical,
physical and personnel resources, as well as its testing, management, and quality
assurance policies and protocols. The loss or suspension of a NVLAP accreditation will
result in the suspension and possible revocation of any EAC accreditation consistent
with the procedures of Chapter 5 of this manual. VSTLs are required to immediately
report any change in their NVLAP accreditation status to the EAC.

2.4. Conflict of Interest and Prohibited Practices Program

All laboratories must maintain and enforce policies which prohibit and prevent conflicts 
of interest or the appearance of conflicts of interest. A laboratory must ensure that 
neither the laboratory, its parent corporation, contracted third-party laboratories, nor any 
individual staff member involved in the testing of voting systems have any vested 
interest in the outcome of the test processes. Laboratories must have a written policy in 
place that, at a minimum, (1) prohibits conflicts of interest and other prohibited practices, 
and (2) provides for enforcement, consistent with the subsections below. 


2.4.1. Prohibited Conflicts of Interest. The purpose of a conflict-of-interest policy is to prevent 
situations where the exercise of an official duty directly impacts the actor’s financial 
interests. For the purposes of this program, a prohibited conflict of interest exists when the 
duties and responsibilities of a laboratory, parent corporation, or a laboratory employee 
involved in the testing of voting systems under EAC’s Testing and Certification Program 
have a direct and predictable effect on the financial interest of that laboratory, parent 
corporation, or a laboratory employee. Agreements with voting system manufacturers to 
provide testing pursuant to the requirements of EAC or a State’s certification program do 
not constitute a prohibited conflict of interest. Certification testing is considered a duty and 
responsibility of a VSTL, not an outside financial interest. 


For example, an employee who is responsible for testing a voting system on behalf of a 
VSTL would be prohibited from holding a financial interest in the entity whose product is 
being tested or a direct competitor of that entity. A prohibited conflict of interest would 
also include a contractual or other fiduciary relationship between a VSTL or VSTL 
employee and a manufacturer (outside an agreement for State or Federal certification 
testing) when that VSTL or VSTL employee is concurrently responsible for conducting 
certification testing for that manufacturer under this program. 


Additionally, financial interests may be imputed or attributed to a laboratory, parent 
corporation, or a laboratory employee through a relationship with a third party. 


For example, a VSTL employee responsible for the testing of a voting system would be 
conflicted from performing his or her duties if his or her spouse owned a financial interest 
in the manufacture of the voting system. 


2.4.1.1. Involved in Testing — Defined. An organization is involved in voting system 
testing any time it contractually takes on the responsibility for testing a voting 
system to the VVSG under the EAC’s Testing and Certification Program. An 
employee is involved in voting system testing when the employee performs 
testing on the system, manages the testing process, or supervises those who 
perform testing on the system. 


2.4.1.2. Financial Interest — Defined. Financial interest means any current or contingent 
ownership, equity, or security interest in real or personal property or a business 
and may include indebtedness or compensated employment relationship. It also 
includes interests in the nature of stocks, bonds, partnership interests, fee and 
leasehold interests, and other property rights, deeds of trust, and liens, and 
extends to any right to purchase or acquire any such interest, such as a stock 
option or commodity future. 


2.4.1.3. Direct Effect — Defined. A matter will have a direct effect on a financial interest if 
there is a close causal link between any decision or action to be taken in the 
matter and any expected effect of the matter on the financial interest. An effect 
may be direct even though it does not occur immediately. A matter will not have 
a direct effect on a financial interest if the chain of causation is attenuated or is 
contingent upon the occurrence of events that are speculative or that are 
independent of, and unrelated to, the matter. A matter that influences a financial 
interest only as a consequence of its effects on the general economy does not 
have a direct effect within the meaning of this section. 


2.4.1.4. Predictable Effect — Defined. A matter will have a predictable effect if there is a 
real, as opposed to a speculative, possibility that the matter will affect the 
financial interest. It is not necessary that the magnitude of the gain or loss be 
known, and the dollar amount of the gain or loss is immaterial. 


Imputed Interests — Defined. An imputed interest is a financial interest held by a
third-party individual or organization that serves to disqualify an employee or
laboratory to the same extent as if they were the employee’s or laboratory’s own
interest. These interests include:

• the financial interests of a spouse or dependent child will be imputed to
an employee,
• the financial interest of any organization in which a laboratory, parent
corporation, or a laboratory employee serves as an employee, officer,
board member, partner, consultant, director, trustee, or similar position
must be imputed,
• the interests of any contracted third-party laboratory must be imputed to
the utilizing VSTL, and
• the financial interest of a person or organization with whom an
employee is negotiating or has an arrangement concerning prospective
employment must be imputed.

2.4.2. Prohibited Practices. Irrespective of the existence of a conflict of interest, it is a
prohibited practice for a laboratory, parent corporation, or laboratory
employee to be involved in the development of a voting system or to solicit or
receive a gift from a voting system manufacturer.


A laboratory or individual may not be involved in both the development of a 
voting system and the certification of a system. Voting system development 
includes any testing, consultation, or design work performed in order to ready 
a specific system for the marketplace or the certification process. Any testing 
performed on behalf of a voting system manufacturer that was not performed 
pursuant to a state or federal voting system certification program is considered 
developmental in nature. 


The prohibition barring participation in both development and testing is voting 
system specific. An employee or laboratory that was previously involved in 
product development with a manufacturer is not prohibited from testing all 
systems produced by that manufacturer, just those systems in which the 
employee or laboratory participated directly in development. The prohibition 
relates to a VSTL’s prior involvement in system development. Concurrent 
development work and testing may constitute a prohibited conflict of
interest under Section 2.4.1 of this manual.


As voting systems are subject to change over time, for the purposes of this 
prohibition, a voting system is considered altered to the degree that it is a 
different system when: 


• a period of at least three years has passed since the VSTL or employee
was involved in the system’s development,
• the system has been subject to both software and hardware
modification since the VSTL or employee was involved in the system’s
development, and
• the system has received a certification after being tested by a different
independent laboratory since the VSTL or employee was involved in
the system’s development.


The prohibition barring participation in both development and testing does not 
prohibit a VSTL from allowing a manufacturer to perform onsite hardware 
mitigation on a voting system in response to a minor system failure or anomaly. 
In such cases the VSTL: 


• must suspend all hardware testing,
• must not participate or assist the manufacturer in remediation,
• may provide testing equipment and qualified operators to the
manufacturer for its use,
• must monitor and document the manufacturer’s access to the system
consistent with Section 2.16 of this manual, and
• must document in the test report the failure or anomaly and remedial
action taken by the manufacturer consistent with Section 4.8.6.2 of this
manual and Chapter 4, Section 4.9 of the Voting System Testing and
Certification Program Manual.


2.4.2.1. Gifts. Solicit or receive a gift, directly or indirectly, from any entity 
which holds a financial interest in the development, production, or 
sale of voting systems, or is otherwise impacted by the testing and 
certification of voting systems. A “gift” under these policies 
generally does not include items such as publicly available discounts 
and prizes, commercial loans, food not part of a meal such as coffee 
and donuts, and items of little value such as plaques and greeting 
cards. Relevant factors in making such a determination include the 
history of the relationship and whether the family member or friend 
personally pays for the gift. 


2.4.3. Program Enforcement Elements. Prohibited conflicts and practices are 
enforced through a written program which: 


2.4.3.1. Regarding Employees Involved in the Testing of Voting Systems

• Annually collects standard information from each employee,
including assets, debts, outside or prior activities/employment, gifts,
and any work on voting system development sufficient to
demonstrate compliance with Sections 2.4.1. and 2.4.2. of this
manual. The information collection must also reflect the financial
interests of those individuals (like spouses and minor children)
whose interests are imputed to the employee.
• Requires and documents the review of information collected for
potential conflicts and prohibited practices.
• Resolves and documents all identified conflicts of interest or
prohibited practices prior to the employee or laboratory’s
involvement in the testing of any voting system. Resolutions may
include the divestiture of assets or gifts, employee resignation from
outside organizations, or the altering of an employee’s
responsibilities by prohibiting participation in voting system testing
or the testing of a specific system.


2.4.3.2. Regarding the VSTL or VSTL’s Parent Corporation 


• Annually collects information pertaining to the holdings and
activities of the VSTL and its parent corporation(s), sufficient to
demonstrate compliance with Sections 2.4.1. and 2.4.2. of this
manual.
• Requires and documents the review of collected information for
potential conflicts and prohibited practices.
• Resolves and documents all identified conflicts of interest or
prohibited practices prior to the laboratory’s testing of any voting
system. Resolutions may include the divestiture of assets or gifts,
and the termination or rejection of conflicted or prohibited testing
work.


2.4.3.3. Regarding Contracted Third-Party Laboratories. The interest of a contracted
third-party laboratory may be imputed to a VSTL. VSTLs may meet and enforce the
program requirements of this section regarding this relationship in one of two
ways:

• Collect information pertaining to the holdings and activities of the
third-party laboratory and its employees, sufficient to demonstrate
compliance with Section 2.4.1. and 2.4.2. of this manual. This
includes gathering information concerning any involvement by the
third-party laboratory or its employees in the development of
specific voting systems. This collection of information must be
performed prior to the execution of any contract for the testing of
voting systems under this program and annually thereafter if the
contract exceeds one year in duration. Require and document the
review of collected information for potential conflicts. Resolve all
identified conflicts of interest prior to the laboratory’s testing of any
voting system.

• VSTL supervision of third-party laboratories performing non-core
testing. Where a third-party laboratory is subject to direct VSTL
supervision and observation, the third-party laboratory’s conflicts of
interest or prohibited practices will not be imputed to the lead VSTL.


Direct VSTL supervision under this section requires that a VSTL 
employee is physically present during the third-party testing and 
directly observes and supervises the testing. This VSTL employee 
must: (1) have been properly vetted for conflict of interest and 
prohibited practices pursuant to Section 2.4 of this manual, (2) be 
competent to supervise the testing being performed and (3) have no 
financial interest in the third-party laboratory they are supervising. 


2.4.4. Waivers. In rare circumstances, prohibited practices or conflicts of interest may 
be waived by the EAC after the conflict or prohibited practice is properly 
disclosed to the agency. Waivers may be granted at the sole discretion of the
Program Director.


2.4.4.1. Requesting a Waiver. A request for a waiver must be made in writing to
the Program Director. The request must fully disclose the conflict of
interest or prohibited practice for which the waiver is sought, describe
all steps taken to resolve the conflict or prohibited practice, and the
reasons why such attempts were unsuccessful or otherwise untenable.
The request must also state why the waiver should be granted.

2.4.4.2. Waiver Standard. A disqualifying conflict of interest or prohibited
practice is subject to waiver when the issuance of a waiver is in the
best interest of the EAC’s Testing and Certification Program, and the
identified conflict or practice is unlikely to affect the integrity or
impartiality of the VSTL or VSTL employee’s services under the EAC’s
Testing and Certification Program. The Program Director may
consider the following factors in making a waiver determination:

• The value of any disqualifying financial interest.
• The nature and impact of any prohibited practice.
• The role and responsibility of the employee subject to the conflict of
interest or prohibited practice.
• The availability of other employees, VSTLs or laboratories to
conduct the testing without a conflict or prohibited practice.
• The level of discretion or sensitivity required to perform the
conflicted or prohibited duties under the certification program.
• The ability of an EAC waiver to adjust a VSTL or VSTL employee’s
testing process and duties or otherwise mandate additional
safeguards which would limit or abrogate the impact of the conflict
of interest or prohibited practice.

2.4.4.3. Issuing a Waiver. Any waiver issued by the Program Director must be made
in writing to the requestor. The waiver must state with specificity the conflict
of interest or prohibited practice waived, and clearly state any conditions for
its issuance, such as mitigating processes, procedures, or safeguards. The
VSTL is responsible for meeting all waiver conditions prior to engaging in the
waived activity. Failure to meet such condition may result in the revocation of
a VSTL’s accreditation.

2.4.4.4. Denying a Request for a Waiver. Any decision denying a request for a
waiver must be made by the Program Director in writing and provided
to the VSTL.

2.5. Personnel Policies. All laboratories must have written policies to ensure that they do not
employ individuals, in any capacity related to the testing of voting systems, who have
been convicted of a felony offense or any criminal offense involving fraud,
misrepresentation, or deception under either Federal or state law. The VSTL must have a
program in place to enforce this policy and document such enforcement.

2.6. Notification of Changes. All laboratories must notify the EAC in writing within 15
calendar days of any significant changes in laboratory operations from what the
laboratory described in any assertion that served as the basis for its EAC accreditation,
including any assertions made to NIST’s NVLAP or to the EAC. Examples of events that
require written notification include, but are not limited to:

• a laboratory’s decision to withdraw from the EAC’s program,
• changes in ownership of the laboratory,
• a change in location of the laboratory facility, or
• personnel changes in key staff positions.

2.7. Site Visits. All laboratories must allow EAC representatives to enter their voting system
testing facilities pursuant to the procedures and requirements of this manual.

2.8. Notice of Lawsuits. All laboratories must notify the EAC of any lawsuits or claims filed
against it, its subcontractors, subsidiaries, employees, officers, owners, operators, or
insurers while the laboratory holds an EAC accreditation and which relate to the work
performed in, or management of, the laboratory’s voting system testing program.

2.9. Testing, Technical Practices, and Reporting. All laboratories must conduct testing in
conformance with the applicable requirements of the VVSG. Additionally, the VSTL must
create written reports of such testing in accordance with the Voting System Testing and
Certification Program Manual, any applicable test assertions or test suites mandated by
the EAC, and any other written guidance published by the EAC.
2.9.1. Test Readiness Notification. Upon completion of the Test Readiness Review (TRR),
the VSTL must submit a written statement to the EAC confirming that the voting
system completed the TRR, and that the system is ready for certification testing to
the applicable VVSG requirements.

2.9.2. Test Readiness Acknowledgement. Upon receipt of the test readiness notification
from the VSTL, the EAC must issue written acknowledgement within three
business days of receipt of the notification.

2.10. Test Plan. The VSTL must submit a test plan directly to the EAC consistent with the
requirements of the Voting System Testing and Certification Program Manual, the
applicable VVSG, this manual, and any other written guidance from the EAC.

2.10.1. Test Case. After approval of the VSTL’s test plan, the VSTL must develop test
cases. A test case is a system-specific, step-by-step test procedure or testing
process that provides detailed testing operations procedures sufficient for trained
laboratory personnel to fully conduct a given test and produce repeatable results.
Labs must use test assertions published by the EAC in addition to VVSG
requirements in the development of test cases. If test assertions exist for a specific
requirement, the assertions will provide details about the requirement making it
easier for the VSTLs to create the test cases. The VSTL must provide fully
developed, system-specific test cases to the EAC prior to test execution, and fully
executed test cases prior to submission of the test report, or at the request of the

2.11. Testing. VSTLs must conduct testing in conformance with the applicable VVSG
requirements and consistent with any written EAC interpretations of these requirements.
VSTLs must test system identification tools during the test campaign to ensure they 
function properly and as intended. The laboratory must maintain its technical practices 
consistent with the standards which served as the basis for its NVLAP accreditation. 
These standards include International Standard ISO/IEC 17025, General Requirements for the 
Competence of Testing and Calibration Laboratories; NIST Handbook 150, Procedures and 
General Requirement; NIST Handbook 150-22, Voting System Testing; any documents 
supplementing, updating, or replacing these standards or handbooks; and any pertinent 
EAC guidance. When conducting testing under EAC’s program, VSTLs must only conduct 
testing of voting systems consistent with the scope of their accreditation. 


2.11.1. Third-Party Testing. VSTLs may contract or provide for the testing of voting 
systems by third parties under this program. However, the VSTL is responsible for 
the accuracy, quality assurance, and results of all tests conducted. VSTLs must not 
perform, or contract for the performance of, testing outside the scope of its 
accreditation. Testing performed directly by VSTL personnel using third-party
contractor equipment and facilities is not considered third-party testing.


2.11.1.1. Core Testing. Core voting system testing must only be performed by
VSTLs. Core testing includes Technical Data Package review, physical
configuration audit, source code review, functional configuration
audit, system integration testing, interoperability testing, volume
testing, accuracy testing, telecommunication testing, accessibility
testing, usability testing, and security testing (not including
cryptographic testing), vulnerability testing, and penetration testing.
This list of core tests is exhaustive for all Voluntary Voting System
Guidelines versions, both current and legacy. Not all core tests apply
to all VVSG versions.


Non-Core Testing. Non-core testing may be performed by non-VSTLs if 
they hold an EAC recognized accreditation to perform the relevant 
testing. The EAC recognizes two national accreditation bodies, NIST’s 
NVLAP program and the American Association of Laboratory 
Accreditation (A2LA). Generally, a VSTL may only contract or 
otherwise provide for the non-core testing of voting systems if it uses a 
NVLAP or A2LA laboratory accredited to the specific scope of testing 
necessary. Non-core testing includes electromagnetic compatibility
testing, telecommunications testing, environmental testing, electrical
testing, acoustical testing, accessibility testing, usability testing, and
cryptographic testing.


In special circumstances, VSTLs may subcontract testing for any core
voting system testing within its scope of accreditation. The
subcontracted laboratory should be a NVLAP and EAC accredited
VSTL authorized to do business in the United States. When any
specialized parts of a core test need to be subcontracted to a
non-NVLAP-accredited laboratory, a VSTL shall first receive written
approval by the Program Director.


In limited circumstances, laboratories not holding a recognized 
accreditation may be used by VSTLs for non-core testing only after 
approval by the Program Director. Requests for such approval must be 
made in writing and demonstrate: 

(1) That there is no recognized laboratory available within a reasonable 
window of availability and geographic proximity (generally within the 
continental United States), and 

(2) that the VSTL has conducted a thorough assessment of the
third-party laboratory’s capabilities, quality system, management system,
and/or alternative accreditations and has determined and
documented that the laboratory is qualified to perform testing.


The EAC may visit, interview, or audit any non-accredited laboratory 
at any time before, during, or after the testing has occurred to verify 
their qualifications. 


2.11.1.2. VSTL Responsibilities. VSTLs are responsible for all tests performed on 
voting systems submitted to them by manufacturers under EAC’s 
Testing and Certification Program including testing performed by 
third-party laboratories under their direction. Any procedural or 
substantive irregularities or errors which occur during the third-party 
testing process will be imputed to the VSTL. Such failures may serve 
as a basis for the revocation of accreditation. VSTLs using third-party 
laboratories must take steps to ensure that the third-party laboratories 
they employ meet the standards of this program. At a minimum, the 
lead VSTLs must ensure: 


• The third-party laboratory provides the VSTL verifiable 
documentation regarding its relevant accreditation. 

• Any hardware tested by the qualified third-party laboratory is 
first validated by the VSTL as the same hardware presented for 
certification. 

• The third-party laboratory provides the VSTL with evidence that 
it directs its activities in compliance with any and all relevant 
VVSG requirements for testing and that the testing was, in fact, 
performed consistent with such specific requirements. Any 
special procedures, tools, or testing software necessary to meet 
VVSG requirements must be validated by the VSTL prior to use. 
For example, the VVSG requires that systems be tested while 
operating and that such operation be in a manner and under 
conditions that simulate election use. In such cases, the VSTL 
must ensure that the third-party laboratory properly implements 
the VVSG requirements, validate its election simulation tools, 
and ensure that it properly performed the testing. 

• The VSTL performs all system accuracy, reliability, functionality, 
and integration testing. 

• The third-party laboratory issues a report to the VSTL that fully 
documents its testing such that the VSTL may demonstrate 
compliance with this section and produce a report consistent 
with Section 2.12 of this manual. 


2.12. Test Report Package. The test report package represents the culmination of the testing 
process and must accurately and completely document the testing performed and the 
results of such testing. VSTLs must submit test report packages directly to the EAC and 
must include: 


2.12.1. Test Report. All test reports must document the testing process, including the 
documentation and justification for any divergence from the EAC-approved test 
plan, methods, or cases and the identification of all failures and/or anomalies 
along with any remedial action taken (see Chapter 4 of the Voting System Testing 
and Certification Program Manual). VSTLs must not include any proprietary test 
cases in the test report. Test reports must also document any prescribed 
maintenance or modifications, performed by the manufacturer, to a voting system 
in testing. Such maintenance or modifications must be monitored by the VSTL 
consistent with Section 2.1644 of this manual. 


2.12.2. Format. To the greatest extent possible, VSTLs must write reports that are 
understandable to non-technical persons. As the EAC is responsible for publishing 
these reports (barring portions prohibited by law), VSTLs must refrain from 
including in them trade secrets or other commercial information protected from 
release unless substantively required. Where information protected from release 
may be included, it must be identified consistent with Section 6.5Chapter 7 of this 
manual. VSTLs must format each test report consistent with the requirements of 
Appendix E of this manual. 


2.12.3. VSTL Attestation. The signature page on the VSTL’s test report must include an 
attestation stating that: 


• all testing prescribed by the test plan or amended test plan was 
performed as identified or the divergence from the test plan was 
properly documented, 

• all identified voting system anomalies or failures were reported and 
resolved, and 

• that the test report is accurate and complete. 


2.13. Acceptance of Prior Testing. Prior testing of a voting system by a VSTL may be reused at 
the discretion of the EAC. The EAC encourages VSTLs to use such testing to fulfill 
certification requirements. The VSTL must obtain written approval from the EAC for all 
reuse requests. In order for the EAC to accept prior testing, VSTLs must provide evidence 
that the requirements below are met: 


2.13.1. The discrete software or hardware component of the voting system previously 
tested is demonstrably identical to the voting system presently offered for testing. 
VSTLs must examine and compare the components and documentation to ensure 
there is no change in the voting system. When valid prior testing is used, the 
system must be subject to regression testing, functional testing and system 
integration testing, and any other testing deemed necessary to ensure compliance 
with the VVSG and this manual. 


2.13.2. The requirements and relevant EAC requests for interpretation applicable to the 
prior and current testing are identical. 


2.13.3. The test methods used are equivalent or identical to current test methods accepted 
by the EAC. 


2.13.4. The prior testing was reviewed by the VSTL with no apparent errors or omissions 
and fully complies with the VVSG and this manual. 


2.13.5. Testing from previous EAC test campaigns can only be submitted for reuse if the 
EAC accepted a final test report for that campaign. 


2.13.6. The use of prior testing must be noted in the test plan and test report, with test 
report titles, numbers, and descriptions. 


2.14. Termination of Testing Prior to Completion. VSTLs must notify the EAC Program 
Director if testing is terminated prior to completion. This notification must be in writing 
and state the reason(s) for termination, provide a list of all testing completed, and produce 
a report of test anomalies or failures pursuant to Section 4.9.2 of the Voting System Testing 
and Certification Program Manual. 


2.14.1. Termination Defined. Voting system testing is considered terminated when the 
testing process is permanently ended or halted without a specific plan to 
recommence within 30 calendar days of the last test performed. 


2.14.2. Effect of Termination. Notification of termination will result in the suspension of 
the manufacturer’s certification application and will be posted on www.eac.gov. 


2.14.3. Resubmission after Termination. Manufacturers may resubmit a system 
previously terminated by submitting an updated application consistent with 
Chapter 4 of the Voting System Testing and Certification Program Manual. A 
system resubmitted to the EAC after termination must be tested by the VSTL 
identified on the original application. 


2.15. VSTL Verification of Trusted Build. At the conclusion of each test campaign, VSTLs 
must verify the trusted build and associated materials required to be escrowed in the EAC 
repository (see Section 5.3 of the Voting System Testing and Certification Program 
Manual). 


2.16. Laboratory Independence. All laboratories must maintain their independence from voting 
system manufacturers, consistent with their roles and responsibilities as a key component 
of the EAC Certification Program. VSTLs must maintain an arm’s length relationship with 
the manufacturers and avoid even the appearance of improper conduct. In order to 
maintain independence, VSTLs must adhere to the following independence principles and 
requirements: 


2.16.1. Testing Independence. Only the VSTL identified on a voting system’s application 
form may test or oversee the testing of that system. A manufacturer must not 
perform or participate in any testing that will serve as the basis of an EAC 
certification. Additionally, VSTLs must ensure that manufacturers do not have 
access to a system under test unless accompanied and monitored by a VSTL 
representative. The EAC recognizes that in some cases there is value in allowing 
manufacturers to witness a particular test or a re-creation of a test in order to 
allow them to comment on the proper system set up or operation. Such 
participation must be (1) at the discretion of the VSTL, (2) supervised by the VSTL, 
and (3) clearly documented in order to maintain laboratory independence. 


2.16.1.1. The VSTL may at any time, and at its own discretion, halt an active certification 
test and allow the manufacturer into the testing room for a re-creation of the test 
being performed. If the VSTL chooses to do this, it must: 


• document the time and circumstance that cause a halt in testing, 

• document the reason why the manufacturer’s presence is 
needed, 

• document the result of the test prior to re-creating the test for the 
manufacturer, and 

• document any re-running of the official EAC Certification Test. 
This documentation must include any change that occurred to 
the “as run” test case as a result of the re-creation and the result 
of the official test. 

• Have the test supervisor in charge of the project present for the 
re-creation of the test. If the tester conducting the test is also the 
test supervisor in charge of the project, one other VSTL 
employee must be present in the room during the re-creation of 
the test. Documentation of the re-creation of the test must 
include lab personnel present at the time of the re-creation; and 

• All documentation must be retained according to NVLAP and 
EAC requirements. 


2.16.1.2. The VSTL may, at its own discretion, create a closed-circuit video feed or web 
cam feed of the testing being conducted and allow for real time correspondence 
between testers and the manufacturers provided that: 


• All correspondence (i.e., letters, emails, memos, recorded video 
calls, etc.) between the testers and the manufacturer is 
documented and retained, and 

• Any changes to the testing that result from correspondence 
between the manufacturers and the VSTL are signed off by the 
VSTL project manager and provided to the EAC as part of the 
test report package. 


2.16.1.3. The VSTL may, at its discretion, provide supervised access to the manufacturer 
prior to and during the testing to perform unscheduled and non-routine 
maintenance provided that: 


• All documentation related to the maintenance activities is 
recorded within the "as run" test case, and 

• Any unscheduled maintenance that is performed is documented 
in the discrepancy report and included as part of the test report 
materials. 


2.16.2. Decision Making. Determinations regarding testing, test requirements, and test 
results must be made on the basis and for the purpose of ensuring that the systems 
tested meet the VVSG. 


2.16.3. Single Laboratory Requirement. Manufacturers are prohibited from changing 
laboratories during the testing process. Once a VSTL is identified by the 
manufacturer to test a system, a test report will not be accepted by the EAC from 
any other laboratory unless authorized pursuant to Chapter 4 of the Voting 
System Testing and Certification Program Manual. This strict policy supports 
VSTLs in their independent decision-making role. VSTLs must immediately notify 
the Program Director any time a manufacturer withdraws a product from testing, 
or the testing is otherwise terminated. 


2.16.4. Fee for Service. All fees paid by a manufacturer to a VSTL must be solely for 
services rendered. A VSTL must reject payment that is not directly linked to 
services necessary to complete system testing and must reject payment that is 
conditioned or dependent on testing outcome. 


2.16.5. Communications. All substantive discussions regarding the outcome, cost, 
payment, and testing of a voting system must be documented in writing by the 
VSTL. This includes, but is not limited to, letters, emails, reports, meetings, and 
telephone calls. These records must be maintained consistent with Section 2.20 of 
this manual. Examples of substantive discussions between the lead VSTL and a 
manufacturer include but are not limited to all contracts and amendments; 
discussions regarding the set up and operation of the voting system during 
testing; discussions with the manufacturer regarding the test plan, test cases, 
testing, or the test report; and discussions regarding implementation or 
interpretation of the standards. 


2.16.6. Cooperation with EAC. VSTLs must cooperate with any EAC inquiries and 
investigations into a certified system’s compliance with the VVSG and any VSTL 
testing related to that system consistent with Chapter 7 of the Voting System 
Testing and Certification Program Manual. 


2.16.7. Testing Facilities. To avoid the appearance of impropriety and otherwise maintain 
laboratory independence, VSTLs must not conduct testing at a facility that is 
owned or controlled by a manufacturer. If exceptional circumstances exist 
requiring that the VSTL use manufacturer facilities, the VSTL may request a 
waiver from the EAC. The request must be in writing to the Program Director and 
clearly state why such testing is necessary. A waiver may be granted at the sole 
discretion of the Program Director and may impose necessary restrictions, 
limitations, and requirements on testing. Waivers will be granted only in 
exceptional circumstances. 


2.16.8. Improper Influence. Any attempt by a manufacturer to unduly influence the test 
process must be immediately reported to the Program Director. The EAC will 
conduct a review of the situation and will terminate the test campaign if it is found 
that the manufacturer attempted to unduly influence testing. 


2.17. Authority to do Business in the United States. All laboratories must be lawfully entitled 
or otherwise not prohibited from doing business with the United States or its citizens or 
operating in the United States. 


2.18. Communications. All laboratories must designate and identify an individual or 
individuals who may speak for and act on behalf of the VSTL. VSTLs must maintain an 
open line of communication with EAC and provide prompt response to requests for 
information regarding the program. 


2.19. Resources and Financial Stability. All VSTLs must allocate sufficient resources to enable 
the laboratory to properly use and maintain its test equipment, personnel, and facility and 
to satisfactorily perform all required laboratory functions. The laboratory must maintain 
insurance policies sufficient to indemnify itself against financial liabilities, penalties that 
may result from its operations, and against the potential losses identified in its liability 
assessment. VSTLs must document solvency through demonstrating that the laboratory’s 
assets are greater than its liabilities in its audited financial statement. 


2.20. Recordkeeping. All laboratories must have a written policy regarding the proper storage, 
management, and retention of all records relating to the testing of voting systems. At a 
minimum, this policy must require all forms, reports, test records, observations, 
calculations, and derived data for all tests performed on a given voting system (or 
component of said system) be retained for a period of at least five years after the last test 
performed on that system (or component of any version of said system). The policy must 
also require that all documents are maintained in a safe and secure environment and 
stored in a manner that provides for timely identification and retrieval and kept in a data 
format usable and available to the EAC. 


3. Application Process 


3.1. Overview. This chapter sets forth the required steps laboratories must perform in order to 
receive an EAC accreditation. The process generally includes an application for and 
receipt of a NIST recommendation; receipt of an EAC invitation to apply; and the 
successful submission, acceptance, and review of an EAC application. 


3.2. NIST Recommendation. The EAC is mandated under Section 231 of the Help America 
Vote Act of 2002 (HAVA) (42 U.S.C. §15371(b)) to “... provide for the certification, 
de-certification and re-certification of voting system hardware and software by accredited 
laboratories.” As part of this process, HAVA requires the NIST to evaluate independent 
non-Federal test laboratories. NIST selects those laboratories that are technically qualified 
to test voting systems and recommends them to the EAC for accreditation. A laboratory 
must have a NIST recommendation before it may be considered for EAC accreditation. 


3.2.1. NIST Recommendation Process. NIST utilizes its NVLAP to perform this 
evaluation. NIST, through the NVLAP process, assesses laboratory technical 
capabilities, procedures, and personnel before recommending a laboratory for 
EAC accreditation. The requirements, procedures, and application process for 
requesting consideration by NIST for recommendation to the EAC may be found 
at www.nist.gov/NVLAP. 


3.2.2. Emergency EAC Accreditation without NIST Recommendation. HAVA authorizes 
the EAC to consider and accredit laboratories without a NIST recommendation (42 
U.S.C. §15371(b)(2)(B)). The EAC will accredit laboratories without a NIST 
recommendation only as an emergency action. 


• Emergency Action — Defined. The EAC will take emergency action only in 
instances where (1) there is a significant national need for accredited 
laboratory testing capacity that cannot be met by existing VSTLs, (2) the 
shortage of laboratory testing capacity may cause a disruption in the 
orderly administration of federal elections, and (3) NIST is not capable of 
timely recommendation of new laboratories to meet needs. Consistent 
with HAVA, the EAC must publish its basis for emergency action 
following the above standards. 

• Emergency Action — Process. Laboratories will be accredited by the EAC in 
an emergency action only after they have been properly assessed 
according to international standards and applicable NIST guidance. 
These standards include International Standard ISO/IEC 17025, General 
Requirements for the Competence of Testing and Calibration Laboratories; NIST 
Handbook 150, Procedures and General Requirement; NIST Handbook 150-22, 
Voting System Testing; and/or any documents supplementing, 
updating, or replacing these standards or handbooks. 

• Emergency Action — Provisional. Any accreditation provided by the EAC 
through its emergency action authority is provisional in nature and 
limited in scope. Any laboratory accredited by the EAC through this 
emergency action should seek accreditation as soon as possible by 
submitting an application in accordance with Chapter 2 of this manual. 
The accreditation process will take place in a timely manner given (1) the 
accreditation process does not interfere with the scope of testing, (2) is 
within 60 days following a federal election, or (3) NIST becomes available 
to complete their review. Any laboratories operating out of scope, or who 
do not submit an application in a reasonable amount of time identified 
will have their emergency accreditation suspended. All emergency 
accreditations expire on a date specified by the EAC. 


3.3. EAC Invitation. After receipt of a NIST list of recommended laboratories, the EAC will 
send a letter to the laboratories inviting them to apply for EAC accreditation under the 
VSTL program. No laboratory may apply for EAC accreditation without an invitation 
from the Commission. The letter of invitation will identify the scope of accreditation for 
which the laboratory may apply. The invited laboratories must follow the application 
procedure noted in Section 3.4 of this manual. 


3.4. Application. EAC is the sole authority for VSTL accreditation. While NIST’s 
recommendation serves as a reliable indication of potential technical competency, the EAC 
must take additional steps to ensure technical competency and that laboratory policies are 
in place regarding issues like conflict of interest, record maintenance, and financial 
stability. Laboratories are required to submit an application requesting accreditation. The 
application must be addressed to the Program Director and include (1) all required 
information and documentation; (2) a signed letter of agreement; and (3) a signed 
certification of conditions and practices. 


3.4.1. Information and Documentation. The laboratory must submit the information and 
documents identified below as a part of its application. These documents must be 
reviewed by the EAC in order to determine whether the laboratory meets the 
program requirements identified in Chapter 2 of this manual. The laboratory must 
properly label any documents, or portions of documents, it believes are 
protected from release under federal law. 


• The legal name of the laboratory 

• Mailing address of the laboratory 

• Physical location of the laboratory (if different than the mailing address) 

• Name, phone number, and e-mail address of the voting system testing 
program manager or individual responsible for the voting system testing 
program 

• Name, phone number, and e-mail address of the titled head of the laboratory 
(i.e., CEO) 

• Name, title, phone number, and e-mail address of the individual or 
individuals designated to speak for and act on behalf of the laboratory 

• The business contact information (such as point of contact, address, Web site, 
e-mail address) to be posted on www.eac.gov 

• The identity of the laboratory’s insurer(s), name of insured, and coverage 
limits for any comprehensive general liability policies, errors and omissions 
policies, professional liability policies, and bailee policies 

• A written assessment of the laboratory’s commercial general liability 

• A signed statement certifying that it maintains workman’s compensation 
policy coverage sufficient to meet the applicable state’s minimum 
requirements 

• A copy of the laboratory’s organizational chart that includes the names of key 
staff responsible for the testing of voting systems 

• A copy of the laboratory’s conflict of interest policy which implements 
the standards of Section 2.4 of this manual 

• A copy of the laboratory’s personnel policy which implements the 
standards of Section 2.5 of this manual 

• A copy of the laboratory’s recordkeeping policy which implements the 
standards of Section 2.20 of this manual 

• A copy of the laboratory facilities brochure 

• Any additional documentation necessary to demonstrate conformance 
with the most recently published NVLAP Handbook 150-22 

• A copy of the most recent annual report, the names of the current board 
of directors and the previous year’s board of directors, the names of any 
majority shareholders, and audited financial statements of the companies 
or entities that own and operate the laboratory. Laboratories not 
incorporated should provide comparable information. 


3.4.2. Letter of Agreement. The laboratory must submit a signed letter of agreement as a 
part of its application. This letter must be signed by an official that is vested with 
the legal authority to speak for, contract on behalf of, or otherwise bind the 
applicant laboratory. The purpose of this letter is to document that the laboratory 
is aware of, and agrees to abide by, the requirements of the EAC’s Voting System 
Test Laboratory Program. The letter must unequivocally state the following: 


The undersigned representative of ____ (hereinafter “the laboratory”), being lawfully 
authorized to bind the laboratory and having read the EAC Voting System Test Laboratory 
Program Manual, accepts and agrees on behalf of the laboratory to follow the program 
requirements as laid out in Chapter 2 of this manual. The laboratory will meet all program 
requirements as they relate to NVLAP accreditation; conflict of interest and prohibited 
practices; personnel policies; notification of changes; resources; site visits, notice of 
lawsuits; testing, technical practices, and reporting; laboratory independence; authority to 
do business in the United States; VSTL communications; financial stability; and 
recordkeeping. Laboratory recognizes that meeting these program requirements is a 
continuing responsibility. Failure to meet each of the requirements may result in the denial 
of an application for accreditation, a suspension of accreditation, or a revocation of 
accreditation. 


3.4.3. Certification of Laboratory Conditions and Practices. The laboratory must submit 
a signed Certification of Laboratory Conditions and Practices as a part of its 
application. A Certification of Laboratory Conditions and Practices form may be found 
in Appendix G of this manual. By signing the certification, a laboratory affirms 
that it, in fact, has in place the policies, procedures, practices, resources, and 
personnel stated in the document. Any false representations made in the 
certification process may result in the revocation of accreditation and/or criminal 
prosecution. 


3.5. EAC Review of Application Package. The Program Director must review each 
laboratory’s application package to ensure that it is complete, and that the laboratory 
meets the program requirements. Each package is reviewed to identify all apparent 
nonconformities or deficiencies. If necessary, the Program Director will notify the 
laboratory of any such nonconformities or deficiencies and provide an opportunity to cure 
problems. The Program Director will issue a recommendation to the Commissioners when 
forwarding any application package. Consistent with HAVA, a laboratory will receive its 
initial accreditation upon a vote from the Commissioners. 


3.5.1. Notice of Nonconformity. In the event the Program Director identifies (1) missing 
documentation or information and/or (2) issues of noncompliance, the Program 
Director must notify the laboratory of the deficiencies. The written notice of 
nonconformity must identify missing documentation or information and issues of 
noncompliance. The laboratory will have 10 business days to amend the 
application package or submit additional information in response to identified 
nonconformities. 


3.5.2. Action on Notice of Nonconformity. A laboratory’s response to a notice of 
nonconformity must include any missing documents identified in the notice, as 
well as any additional or clarifying information or documentation responsive to 
an issue of noncompliance. If a laboratory fails to provide required information or 
documentation within the required timeframe, the Program Director will reject the 
application as incomplete and return the package to the laboratory for 
resubmission consistent with the requirements of this chapter. 


3.5.3. Recommendation to Commissioners. After final review of the application package, 
the Program Director must forward the application package to the Chair of the 
Commission with a recommendation of disposition. 


3.5.4. Vote by Commissioners. Upon receipt of an application package and 
recommendation from the Program Director, the Chair of the Commission will 
forward the information to each EAC Commissioner. The Chair of the 
Commission will bring the matter to a vote, consistent with the rules of the 
Commission. The measure presented for a vote will take the form of a written 
Commissioners’ Decision which (1) makes a clear determination as to 
accreditation and (2) states the basis for the determination. 


3.6. Grant of Accreditation. Upon a vote of the EAC Commissioners to accredit a laboratory, 
the Program Director must inform the laboratory of the decision, issue a Certificate of 
Accreditation, and post information regarding the laboratory on www.eac.gov. 


3.6.1. Certificate of Accreditation. A Certificate of Accreditation will be issued to each 
accredited laboratory. The certificate will be signed by the Chair of the 
Commission, or other agency authority as designated and delegated by the Chair 
of the Commission, and state: 


• The name of the VSTL; 

• The scope of accreditation, by stating the VVSG version(s) to which the 
VSTL is competent to test; 

• The effective date of the certification; and 

• The technical standards to which the laboratory was accredited. 


3.6.2. Post Information on Web Site. The Program Director will make the following 
information available on www.eac.gov: 


• NIST’s recommendation letter 
• The Commissioner’s decision on accreditation 
• The Certificate of Accreditation 


3.7. Effect of Accreditation. Receipt of an EAC Accreditation indicates that a laboratory has 
met the applicable requirements and may serve as a VSTL under the EAC’s Testing and 
Certification Program. 


3.7.1. Scope of Accreditation. A VSTL must operate within the limits of the scope of 
accreditation as stated on its certificate of accreditation. 


3.7.2. Representation. A VSTL must not make representations regarding its 
accreditation, beyond its scope of accreditation. 


3.7.3. No Endorsement. A certificate of accreditation is not an endorsement of the 
recipient VSTL. A VSTL must not state or imply EAC endorsement. 


3.7.4. Accreditation Logo. A VSTL may display the EAC laboratory accreditation logo. 
Only the EAC authorized logo may be used. The display must be used in a 
manner consistent with Sections 3.7.1 - 3.7.3 of this manual. Specifications for the 
reproduction and use of the EAC logo are found in Appendix H of this manual. 


3.8. Denial of Accreditation. Upon a vote of the EAC Commissioners not to accredit a 
laboratory, the Program Director will inform the laboratory of the decision and post a 
copy of the Commissioners’ decision and the denial notification on www.eac.gov. 


3.8.1. Notice of Denial. The Program Director will provide written notification of the 
Commissioners’ decision. This notification will include: 


• A statement of the decision and brief summary explanation of the basis 
for the decision, 

• Notice of the laboratory’s right to an appeal; and 

• A copy of the Commissioners’ decision. 


3.9. VSTL Accreditation Reassessment. The accreditation of a laboratory for purposes of this 
section may not be revoked unless the revocation is approved by a vote of the 
Commission consistent with Chapter 5 of this manual. Reassessment of VSTLs shall occur 
two years from the date their most recent Certificate of Accreditation was issued, or at 
the discretion of the EAC. VSTLs in good standing shall request reassessment of their 
accreditation by submitting an application package to the Program Director, consistent 
with the procedures of Section 3.4 of this manual, no earlier than 60 days before and no 
later than 30 days prior to the reassessment date, or a date chosen at the discretion of the 
EAC. VSTLs in good standing shall retain their accreditation while the review and 
processing of their application is pending and should circumstances leave the EAC 
without a quorum to conduct the vote as specified under Section 3.5.4 of this manual. 


3.10. Requesting Appeal. A laboratory that has been denied accreditation has the right 
to appeal. A laboratory may appeal a Denial of Accreditation by submitting a written 
appeal to the Program Director, addressed to the Chair of the EAC. The appeal must be 
submitted within 14 calendar days of receipt of the denial notification (late requests will 
not be considered). The appeal must clearly state the specific conclusions of the decision 
the laboratory wishes to appeal. Supporting documentation or other evidence may be 
submitted in support of the appeal. 


3.11. EAC Action on an Appeal. Upon receipt of an appeal, the Program Director must 
provide written acknowledgement of receipt of the appeal to the laboratory. The 
notification will inform the laboratory of the next steps of the appeal based on Section 3.12 
of this manual. 


3443.12. | Commissioners’ Decision on Appeal. All timely appeals will be considered by the 
Commissioners. Upon receipt of an appeal, the Chair of the Commission will forward the 
appeal to each Commissioner along with the original application package, 
Commissioners’ Decision, and Program Director’s recommendation. After a reasonable 
time to review and consider the materials, the Chair of the Commission will bring the 
matter to a vote consistent with the rules of the Commission. The measure presented for a 
vote will take the form of a written Commissioners’ Decision on Appeal that will state the
final determination, address the matters raised by the appeal, provide reasoning behind
the appeal, and state the appeal decision is final. 


The Commissioners will make one of two determinations on the appeal: Grant of Appeal 
or Denial of Appeal. If the Commissioners determine that the previous decision of the 
Commission should be overturned in full then the appeal will be granted, and the 
laboratory will be granted accreditation. If the Commissioners determine that any part of 
the previous decision of the Commission should be upheld such that the requirements in 
Chapters 2 and 3 of this manual will not be met in full then the appeal will be denied, and 
the laboratory will be denied accreditation. 


3.13. Effect of Denial of Accreditation. An EAC denial of accreditation indicates only
that a laboratory has failed to document or demonstrate that it has the procedures,
policies, management, or personnel in place to meet the requirements of this Program. A 
denial of accreditation is based upon current policy and procedure and is not an indicator 
of past performance. A laboratory that is denied accreditation has the right to cure any 
identified defect and reapply by resubmitting their application package consistent with 
Section 3.4 of this manual.


Certification Testing and Technical Review


Purpose. The purpose of the Compliance Management Program is to improve the EAC’s
VSTL Program; increase coordination, communication, and understanding between the
EAC and its VSTLs; and improve public confidence in elections by facilitating VSTL
accountability. The program accomplishes this by requiring personal interaction between
EAC staff and VSTL personnel, collecting information and performing reviews to ensure
continued compliance with program requirements, and requiring that VSTLs promptly
remedy any identified areas of noncompliance.


4.2. Compliance Management Program. The Compliance Management Program meets its
purpose by gathering information on the procedures and practices of its VSTLs. There are
three main sources of information: (1) VSTL Notifications of Changes, (2) EAC Requests
for Documents or Information and (3) EAC Reviews. The information collected is
reviewed by the EAC to ensure that VSTLs are meeting all program requirements. Any
areas of noncompliance or recommendations for improvement are presented to VSTLs in a
Compliance Management Report.


4.3. VSTL Notification of Changes. VSTLs are obligated to report any significant changes
regarding the information, agreements or certifications made to the EAC as a condition of
accreditation (see Section 2.6 of this manual). Failure to report changes in conditions or
practices may result in suspension or revocation of accreditation consistent with the
requirements and procedures in Chapter 5 of this manual.


4.4. Request for Information. The Program Director may request a VSTL to provide
information to demonstrate the laboratory’s continuing compliance with the VSTL
Program.


4.4.1. EAC Request. A request for information must be made in writing and provide a 
reasonable timeframe for VSTL response. Requests for information take the form 
of interrogatories and may also include a request for existing documentation. 


4.4.2. VSTL Response. VSTLs must respond within the timeframe provided by the 
Program Director. If additional time is needed, VSTLs may request an extension
that must be made within the timeframe of the original request. The grant of
additional time is at the sole discretion of the Program Director. VSTLs must 
ensure that each question is answered completely and accurately. For 
documentation requests, VSTLs must provide copies of all documents responsive 
to the request. If any document is considered privileged or protected from release 
under federal law, it must be properly labeled. If a requested document does not 
exist, then the VSTL must state this. 


4.4.3. Failure to Respond. Failure to timely respond to a request for documents or
information may result in a suspension or revocation of accreditation consistent
with the requirements and procedures of Chapter 5 of this manual.


4.5. Laboratory Review. The EAC must conduct biennial reviews of VSTLs. There are two
parts of the review: documentation review and on-site review. The documentation review
consists of qualified EAC personnel reviewing the VSTL’s policies and procedures to
ensure that they meet the requirements of the VSTL Program (Chapter 2 of this manual).
The on-site review consists of qualified EAC personnel assessing the VSTL’s personnel
and observing testing to verify compliance with applicable VSTL documentation.


4.6. Laboratory Review Procedure. The Program Director will determine when the review will
be conducted for each VSTL and must notify the VSTL in writing at least 15 calendar days 
prior to the review. Reviews must be conducted with as little impact as possible on the 
activities of the VSTL. The VSTL and its employees are required to participate in the 
review and cooperate with qualified EAC personnel. The reviewer must provide the VSTL 
an exit briefing prior to the termination of the on-site review. 


4.6.1. Notice. The Program Director will coordinate the review with VSTL management. 
The review notification must include the following information: 


• An estimated timeframe during which EAC reviewers will be on site.

• The scope of review that will allow the VSTL to identify the documents,
personnel, and testing it must make available to EAC reviewers.

• The VSTL’s responsibility to coordinate and cooperate with the EAC
throughout the review process.


4.6.2. VSTL Response to Notice. Upon receipt of a notice of the review, the VSTL must 
coordinate the logistics of the review with the Program Director. In the event the 
proposed date or timeframe makes access to the required personnel, documents, 
or testing untenable, the VSTL must contact the Program Director in writing and 
identify (1) the conflict or other problem which makes the proposed date and
timeframe untenable, and (2) a proposed alternative date for the review. The 
acceptance of an alternative review date is at the sole discretion of the Program 
Director. 


4.6.3. Review. EAC reviewers must conduct a brief kickoff meeting with all necessary 
VSTL staff. This meeting will enable the EAC reviewers to provide an overview of 
the review and allow the VSTL to ask any questions. EAC reviewers must conduct 
reviews during the VSTL’s normal working hours. The reviewers will make every 
effort to work as efficiently as possible and avoid impacting the laboratory’s 
routine operations. The VSTL and its employees are required to cooperate with 
EAC reviewers. This cooperation includes providing a private, physical location 
for EAC personnel to review documents and speak with VSTL employees. The 
VSTL is responsible for ensuring the following:


• The reviewers have access to all requested VSTL documents. All
documents specifically identified in the notice of the review must be
presented to reviewers upon arrival.

• The reviewers have access to requested personnel. The VSTL must ensure
that key personnel for each substantive area identified in the notice of the
review be available to EAC reviewers during the review period.

• The reviewers have access to VSTL facilities involved in the testing of
voting systems, including the facilities of third-party contractor
laboratories.


4.6.4. Exit Briefing. EAC reviewers must conduct an informal exit briefing with the
VSTL. The briefing must identify any documents, information, or personnel which
the VSTL remains responsible for making available to the reviewers; inform the
VSTL of the next steps in the review process; and provide the VSTL an
opportunity to ask questions.


4.7. EAC Compliance Management Reports. The EAC must issue a written compliance
management report after performing any review, and after a request for information or
VSTL notification of change when either indicates a noncompliance with program
requirements. All reports must provide a brief summary of the review process, request for
information or VSTL notification of change, state any findings resulting from the review,
and identify any corrective action that may be required.


4.7.1. Purpose. The purpose of the report is to provide the VSTL with EAC’s findings
regarding its program so that noncompliant items can be identified and rectified,
exceptional practices may be identified and encouraged, and recommendations
may be put forth in an effort to improve the VSTL’s program.


4.7.2. Summary of Process. The summary provides background information regarding
how the information supporting EAC findings was collected including identifying
sources of information, methodology, and standards. The summary states the
date(s) of the review, type of review, the program areas reviewed including
specific documents, personnel discussions that were integral to the report
findings, and the processes used by the reviewers to determine compliance.


4.7.3. Findings. The report must include all findings of the review, any requests for
information, and any VSTL Notifications of Change. Findings are the results of the 
audit and include conformities and nonconformities to this program’s 
requirements. Audit findings may lead to the identification of risks, opportunities 
for improvement, or recording good practices. Reports will identify two types of 
nonconformities: 


• Major. A major nonconformity is a failure that is fundamentally critical to
the VSTL’s technical capability to test voting systems and is a violation
that compromises the integrity of the EAC’s Testing and Certification
Program. Examples of major nonconformities would be a total
breakdown of a system, process, or procedure, multiple minor
nonconformities related to the same process, or unauthorized
documentation changes.

• Minor. A minor nonconformity is a failure to conform to a requirement
that is not likely to result in a failure of the quality management system.
It may be a single observed lapse or isolated incident where there is
minimal risk of nonconforming product being released to the customer.
Examples of minor nonconformities would be a document with an
unauthorized change, a missing training record, or an instrument past its
calibration date.


4.8. Corrective Action. Corrective action is required if nonconformities are identified. If a
nonconformity occurs, the VSTL must: 


4.8.1. React to the nonconformity and, as applicable: 


• take action to control and correct it,
• address the consequences, and
• challenge the nonconformity.


4.8.2. Evaluate the need for action to eliminate the cause(s) of the nonconformity so that 
it does not recur or occur elsewhere by: 


• reviewing and analyzing the nonconformity,
• determining the causes of nonconformity, and
• determining if similar nonconformities exist or could potentially occur.


4.8.3. Implement any action needed. 

4.8.4. Review the effectiveness of any corrective action taken. 

4.8.5. Update risks and opportunities determined during planning, if necessary.
4.8.6. Make changes to the management system, if necessary. 


4.8.6.1. Challenging Nonconformities. The VSTL may challenge a nonconformity if it 
believes its procedures and practices were in compliance with program 
requirements at the time of the review. Written challenges must be filed within 
five calendar days of receipt of the report, and must state the basis for the 
challenge, address the facts and conclusions in the EAC report, and provide 
information that clearly documents that the VSTL was in compliance at the time 
of the review. The Program Director must accept or reject a VSTL’s challenge in
writing. If a challenge is accepted, no corrective action is required. If the
challenge is rejected, the VSTL has 20 calendar days from receipt of the notice of 
rejection to perform remedial action. 


4.8.6.2. Conducting Remedial Action. VSTLs may submit a remedial plan within 20 
calendar days of receipt of the report. The remedial plan must identify each 
nonconformity, outline the steps to be taken to achieve compliance, state the 
timeframe for each step, and identify the means and final date by which the 
VSTL will be compliant. A remedial plan is subject to approval from the 
Program Director. A VSTL’s failure to obtain approval of a remedial plan or 
unauthorized deviation from an approved plan’s requirements or deadlines will 
result in suspension of accreditation. 


4.8.6.3. EAC Approval of Remedial Plan. The Program Director must work with the VSTL
to develop a remedial plan that will bring the VSTL into compliance. The 
Program Director must provide written approval of the VSTL’s remedial plan. 


4.8.6.4. VSTL Implementation of a Remedial Plan. After the remedial plan has been 
approved by the Program Director, the VSTL has 20 calendar days to implement 
its plan. The VSTL must not deviate from the plan’s procedures and the 
associated requirements or deadlines without the written consent of the 
Program Director. Failure to follow the remedial plan will result in the 
termination of the cure process. A determination to terminate the cure process 
must be made in writing by the Program Director. 


4.8.6.5. EAC Verification of Remedy. Upon a VSTL’s completion of the remedial plan, the 
Program Director must verify compliance. 


If the Program Director determines that the remedial plan was not completed, 
the cure process will be terminated. A determination to terminate the cure 
process must be made in writing by the Program Director. 


If the Program Director determines that the remedial plan was completed, the 
Program Director must provide the VSTL a Notice of Compliance and 
recommend accreditation to the Commissioners. 


Suspension of Accreditation. The purpose of suspension is to ensure that a noncompliant 
VSTL ceases to test voting systems. The VSTL will have 20 calendar days to implement its 
remedial plan as outlined in Section 4.8 of this manual. If the remedial plan is not 
implemented, the Program Director must issue a Decision on Suspension. The decision 
will state (1) the decision of the Program Director, (2) the basis for, and reasoning behind,
the decision, and (3) the VSTL’s obligations and rights during suspension (if applicable). A 
Decision on Suspension will be provided to the VSTL, issued to all registered 
manufacturers, and posted on www.eac.gov.


4.9.1. Effect of Suspension. A suspended VSTL must immediately cease all testing of
voting systems under the EAC’s Testing and Certification Program. Any testing
performed by a suspended VSTL will not be accepted by the EAC. Any period of
suspension must be clearly documented in a VSTL’s test report. Testing under the
EAC’s Testing and Certification Program will not resume unless the suspension is
lifted.


4.9.2. Challenge of Suspension. The VSTL will have 10 calendar days to challenge its
suspension. The VSTL must challenge the factual finding(s) that serve as the basis
for its suspension and must provide documentation in support of its challenge.


If the Program Director does not receive a documented challenge within the 10-day
window or deems the challenge to be insufficient, the Program Director must
submit a recommendation to revoke the VSTL’s accreditation to the EAC
Commissioners.


If the Program Director determines that the documented challenge addresses the
nonconformities, the Program Director must provide the VSTL a Notice of
Compliance and recommend accreditation to the EAC Commissioners.


4.10. Risks and Opportunities. The VSTL must consider the risks and opportunities associated
with its activities in order to:


• give assurance that the management system achieves its intended results,

• enhance opportunities to achieve the purpose and objectives of the VSTL,

• prevent, or reduce, undesired impacts and potential failures in the laboratory
activities, and

• achieve improvement.

The VSTL must plan actions to address these risks and opportunities, and how to integrate and
implement these actions into its management system and evaluate the effectiveness of these
actions.


Actions taken to address risks and opportunities must be proportional to the potential impact on
the validity of VSTL’s results. Options to address risks can include identifying and avoiding
threats, taking risk in order to pursue an opportunity, eliminating the risk source, changing the
likelihood or consequences, sharing the risk, or retaining risk by informed decision.


4.11. Improvement. The VSTL must identify and select opportunities for improvement and
implement any necessary actions. Opportunities for improvement can be identified 
through the review of the operational procedures, the use of the policies, overall 
objectives, audit results, corrective actions, management review, suggestions from 
personnel, risk assessment, analysis of data, and proficiency testing results. The VSTL 
must seek feedback, both positive and negative, from its customers. The feedback must be
analyzed and used to improve the management system, VSTL activities, and customer
service. Examples of the types of feedback include customer satisfaction surveys,
communication records, and review of reports with customers.


5. Grant of Certification


5.1. Overview. This chapter describes the process for revoking the accreditation of a VSTL. 
The EAC will revoke an accreditation upon a factual finding that a VSTL has failed to 
remedy a nonconformity. Revocation of Accreditation is a three-step process: (1) 
suspension of accreditation, (2) Commissioners’ Decision on Revocation of Accreditation, 
and (3) notification to NIST NVLAP of the revocation.


5.2. Revocation. The EAC monitors VSTL compliance through (1) the VSTL’s continuing 
obligation to provide EAC Notifications of Changes, (2) EAC’s authority to issue Requests 
for Information, and (3) the performance of VSTL Reviews. The process to revoke a VSTL’s 
accreditation will be initiated after an opportunity to remedy nonconformities as 
described in Section 4.8 of this manual. 


5.3. Commissioners’ Decision on Revocation of Accreditation. Pursuant to HAVA, a VSTL 
may have its accreditation revoked only by a vote of the Commissioners. The Program 
Director will provide each Commissioner with all relevant documentation including: 


• the VSTL’s submission challenging suspension,

• the Compliance Management Report,

• any documents pertaining to challenges or remedial plans provided by the VSTL
in response to a relevant Compliance Management Report, and

• a Program Director recommendation as to disposition.


5.3.1. Consideration. Each Commissioner will review and consider all relevant materials 
that have been provided. A Commissioner may request the Program Director to 
provide additional materials or information. Such requests and any responsive 
materials must be provided to each Commissioner. The Chair of the Commission 
will ensure that each Commissioner has sufficient time to consider the relevant 
material before a vote is called. 


5.3.2. Process. The Chair of the Commission will bring the Decision of Revocation of 
Accreditation to a vote consistent with the rules of the Commission. The measure 
presented for a vote will take the form of a written Commissioners’ Decision on 
Revocation that determines: 


5.3.2.1. Program Compliance. If the VSTL demonstrates that it meets all program 
requirements, successfully challenging all previous findings of noncompliance, 
the Commissioners will find the VSTL compliant, lift the VSTL’s suspension, 
and issue a Certificate of Accreditation. 


5.3.2.2. Revocation of Accreditation. If the VSTL does not demonstrate that it meets all
program requirements and at least one previous finding of noncompliance
stands, the Commissioners will find the VSTL to be noncompliant and issue a
Revocation of Accreditation.


5.3.3. Publication of Decision. After a vote of the Commissioners adopting a Decision on
Revocation, the Program Director must notify the VSTL, all EAC-registered
manufacturers, and the Director of NIST, and post the decision on www.eac.gov.


5.4. Effect of Revocation of Accreditation. A revocation of accreditation is effective upon the
vote of the Commissioners. VSTLs that have had their accreditation revoked may no
longer test voting systems or submit test reports under the EAC Certification Program. The
VSTLs may not represent themselves as accredited by the EAC. A VSTL which has had its
accreditation revoked may reapply for EAC accreditation consistent with the requirements
in Chapter 2 of this manual, only after the EAC receives a new recommendation for their
participation from NIST. Where a revocation of accreditation results in the termination of
testing prior to completion, the VSTL must provide information to the EAC consistent
with Section 2.140-7 of this manual. Manufacturers may request the EAC grant permission
to replace their lead VSTL pursuant to Section 4.3:4.22.16.3 of this manual and Section
4.2.3 of the Voting System Testing & Certification Program Manual.


6. Denial of Certification

6.1. Overview. VSTLs participating in the Certification Program are required to provide the 
EAC with a variety of documents. In general, these documents are releasable to the public 
and, in many cases, the information provided will be published by the EAC. In limited 
cases, documents may not be released if they include trade secrets, confidential 
commercial information, or personal information. While the EAC is ultimately responsible 
for determining which documents are protected by federal law from release, VSTLs must 
identify the information that they believe should be protected and provide substantiation 
and a legal basis for withholding such information. This chapter discusses EAC’s general 
policy on the release of information and provides VSTLs with the standards, procedures,
and requirements for identifying documents as trade secrets or confidential commercial 
information. 


6.1.1. Requests for information. The public may request access to Certification Program 
documents under FOIA (5 U.S.C. §552). The EAC must promptly process such
requests per the requirements of that Act. 


6.1.2. Publication of documents. The EAC must publish program documents (or 
portions of documents) through the use of www.eac.gov. The published 
documents will cover the full spectrum of the program, including information 
pertaining to: 


• Accredited VSTLs

• VSTL test plans

• VSTL test reports

• Agency decisions

• Denials of certification

• Issuance of certifications

• Compliance management reports

• Suspensions or revocation of accreditations

• Other topics as determined by the EAC.


6.1.3. Trade Secrets and Confidential Commercial Information. Federal law places a 
number of restrictions on a Federal agency’s authority to release information to 
the public. Exemption 4 of the FOIA protects "trade secrets and commercial or 
financial information obtained from a person [that is] privileged or confidential." 
The exemption covers two distinct categories of information in federal agency 
records: (1) trade secrets, and (2) information that is (a) commercial or financial,
and (b) obtained from a person, and (c) privileged or confidential. Both types of 
information are explicitly prohibited from release by the FOIA and the Trade 
Secrets Act (18 U.S.C. §1905). 


6.2. Trade Secrets. A trade secret is “information, including a formula, pattern, compilation,
program, device, method, technique, or process that:


• Derives independent economic value, actual or potential, from not being
generally known to, and not being readily ascertainable by proper means by,
other persons who can obtain economic value from its disclosure or use; and

• Is the subject of efforts that are reasonable under the circumstances to maintain its
secrecy.”


A trade secret relates to the productive process itself, describing how a product is
made. It does not relate to information describing end product capabilities, 
features, or performance. The following examples illustrate productive processes 
that may be considered as trade secrets: 


• Plans, schematics, and other drawings useful in production.

• Specifications of materials used in production.

• Voting system source code used to develop or manufacture software where
release of this information would reveal actual programming details.

• Technical descriptions of manufacturing processes and other secret
information relating directly to the production process.


The following examples are likely not considered as trade secrets: 


• Information pertaining to a finished product’s capabilities or features.

• Information pertaining to a finished product’s performance.

• Information regarding product components that would not reveal any commercially
valuable information regarding production.


6.3. Privileged or Confidential Commercial Information. Privileged or confidential 
commercial information consists of information submitted by a VSTL that is commercial 
or financial in nature. 


6.3.1. Commercial or Financial Information. The terms commercial and financial should be 
given their ordinary meanings. They include records in which a submitting VSTL 
has any commercial interest. 


6.3.2. Privileged or Confidential Information. Commercial or financial information is 
privileged or confidential if the disclosure of such information would likely cause 
substantial harm to the competitive position of the submitter. The concept of harm 
to one’s competitive position focuses on harm flowing from a competitor’s 
affirmative use of the proprietary information. This does not include incidental 
harm associated with upset customers or employees. 


6.4. EAC’s Responsibilities. The EAC is ultimately responsible for determining whether or 
not a document (in whole or in part) may be released pursuant to federal law. In doing so, 
the EAC will require information and input from the VSTL submitting the documents.
This requirement is essential for the EAC to identify, track, and make determinations on
the large volume of documentation it receives. The EAC has the following responsibilities 
in regard to the submitted documentation: 


6.4.1. Managing Documentation and Information. The EAC must control the 
documentation it receives by ensuring that documents are secure and released to 
third parties only after appropriate review and determination. 


6.4.2. Contacting a VSTL on Proposed Release of Potentially Protected Documents. In 
the event that a member of the public submits a FOIA request for documentation
provided by a VSTL or the EAC or otherwise proposes the release of such
documents, the EAC must take the following actions: 


6.4.2.1. Review the documents to determine if they are potentially protected from 
release as trade secrets or confidential commercial information. The documents 
at issue may have been previously identified as protected by the VSTL when 
submitted (see Section 6.5 of this manual) or identified by the EAC
during review. 


6.4.2.2. Grant the submitting VSTL an opportunity to provide input. In the event the 
information has been identified as potentially protected from release as a trade 
secret or confidential commercial information, the EAC must notify the 
submitter and allow the submitting VSTL an opportunity to submit its position 
on the issue prior to release of the information. The submitter must respond 
consistent with Section 6.5.2 of this manual.


6.4.3. Final Determination on Release. After providing the submitter of the information 
an opportunity to be heard, the EAC will make a final decision on release and 
must inform the submitter of this decision. 


VSTL’s Responsibilities. Although the EAC is ultimately responsible for determining if a 
document, or any portion thereof, is protected from release as a trade secret or confidential 
commercial information, the VSTL is responsible for identifying documents, or portions of 
documents, it believes warrant such protection. The VSTL is responsible for providing the 
legal basis and substantiation for its determination regarding the withholding of a 
document. This responsibility arises in two situations: (1) upon the initial submission of 
information and (2) upon notification by the EAC that it is considering the release of 
potentially protected information. 


6.5.1. Initial Submission of Information. When a VSTL is submitting documents to the 
EAC, it is responsible for identifying any document or portion of a document that 
it believes is protected from release by federal law. VSTLs must identify protected 
information by taking the following action:


6.5.1.1. Submitting a Notice of Protected Information. This notice must identify the
document, document page, or portion of a page that the VSTL believes should 
be protected from release. This identification must be done with specificity. For 
each piece of information identified, the VSTL must state the legal basis for its 
protected status. 


• Cite the applicable law that exempts the information from
release.

• Clearly discuss why that legal authority applies and why the
document must be protected from release.

• If necessary, provide additional documentation or information.
For example, if the VSTL claims a document contains
confidential commercial information, it would also have to
provide evidence and analysis of the competitive harm that
would result upon release.


6.5.1.2. Label Submissions. Label all submissions identified in the notice as “Proprietary 
Commercial Information.” Label only those submissions identified as protected. 
Attempts to indiscriminately label all materials as proprietary render the
markings moot. 


6.5.2. Notification of Potential Release. In the event a VSTL is notified that the EAC is 
considering the release of information that the VSTL thinks may be protected, the 
VSTL must respond to the notice in writing within 15 calendar days. VSTLs that 
do not respond within the 15-day deadline will be viewed as not objecting to 
release. If the VSTL objects to the release, the response must clearly state which 
portions of the document should be protected from release. 


Personal Information. Certain personal information is protected from release under FOIA 
and the Privacy Act (5 U.S.C. §552a). This information includes private information about 
a person that, if released, would cause the individual embarrassment or constitute an 
unwarranted invasion of personal privacy. The EAC does not require the submission of 
private, individual information and the incidental submission of such information should 
be avoided. If a VSTL believes it is required to submit such information, it should contact 
the Program Director. Examples of such information include: 


• Social security number 
• Bank account numbers 
• Home address 
• Home phone number 


Appendix A — Glossary 
Definitions. For purposes of this manual, the terms listed below have the following 
definitions. 


Appeal. A formal process by which the EAC is petitioned to reconsider a decision. 


Applicant Laboratory. An independent, non-Federal laboratory which has applied for 
EAC accreditation after receipt of an invitation. 


Certification Program. The EAC Voting System Testing and Certification Program. 


Commercial-Off-the-Shelf (COTS). Hardware or software components that are widely available 
for purchase and can be integrated into special-purpose systems. 


Commission. The U.S. Election Assistance Commission, as an agency. 


Commissioners. The serving commissioners of the U.S. Election Assistance 
Commission. 


Component. An identifiable and discrete part of the larger voting system essential to 
the operation of the voting system, and an immediate subset of the system to which it 
belongs. 


Days. Calendar days, unless otherwise noted. When counting days, for the purpose of 
submitting or receiving a document, the count begins on the first full calendar day after 
the date the document was received. 


Decision Authority. The EAC Executive Director or Executive Director’s designee. 


Election Official. A State or local government employee who has as one of his or her 
primary duties the management or administration of a Federal election. 


Federal Election. Any primary, general, runoff, or special election in which a candidate 
for Federal office (President, Senator, or Representative) appears on the ballot. 


Fielded Voting System. A voting system purchased or leased by a state or local 
government that is being used in a Federal election. 


Gift. A gift includes any gratuity, favor, discount, entertainment, travel, service, 
hospitality, loan, meal, forbearance, or other item having monetary value. 


Integration Testing. The end-to-end testing of a full system configured for use in an 
election to assure that all legitimate configurations meet applicable guidelines. 




Manufacturer. The entity with ownership and control over a voting system submitted 
for certification. 


Minor Change Order. A minor change order is a change to a certified voting system’s 
hardware, software, Technical Data Package (TDP), or data, the nature of which does 
not materially alter the system’s reliability, functionality, capability, or operation. Any 
changes made to a system under test will result in the manufacturer supplying a list and 
detailed description of all changes. 


Modification. Any change to a previously EAC-certified voting system’s hardware, 
software, or firmware that is not classified as a minor change order or new system. 


Program Director. The individual responsible for administering and managing the 
Testing and Certification Program. 


Proprietary Information. Commercial information or trade secrets protected from 
release under the Freedom of Information Act (FOIA) and the Trade Secrets Act. 


Qualified EAC Personnel. Qualified EAC personnel have attained ISO/IEC 17025 
internal auditing credentials. 


Recommended Laboratory. A laboratory recommended for EAC accreditation by the 
Director of NIST after evaluation by NVLAP. 


Scope of Accreditation. The version or versions of the Federal Voluntary Voting System 
Guidelines (VVSG) to which a VSTL is authorized to test. 


System Identification Tools. Tools created by a manufacturer of voting systems which 
allow elections officials to verify that the hardware and software of systems purchased 
are identical to the systems certified by the EAC. 


Test Assertion. Test assertions contain granular conditions that must be tested to 
determine conformance to a specific VVSG requirement. The intent is to break down 
requirements that are open to interpretation, into unambiguous, specific, and testable 
conditions. 


Third-Party Laboratory. A laboratory contracted or otherwise providing testing services 
to a VSTL to meet program requirements. 


Trusted Build. A software build where source code is converted into machine-readable 
binary instructions (executable code) in a manner providing security 
measures which help ensure that the executable code is a verifiable and faithful 
representation of the source code. 


Voluntary Voting System Guidelines (VVSG). Voluntary voting system guidelines 
developed, adopted, and published by the EAC. The guidelines are identified by 
version number and date. 


Voting System. The total combination of mechanical, electromechanical, and electronic 
equipment (including the software, firmware, and documentation required to program, 
control, and support the equipment) that is used to define ballots, cast and count votes, 
report or display election results, interface the voting system to the voter registration 
system, and maintain and produce any audit trail information. 


Voting System Test Laboratories (VSTLs). Laboratories accredited by the EAC to test 
voting systems to EAC approved voting system standards. 


Appendix B — References 
References. The following documents are referenced in this manual. For dated references, 
only the edition cited applies. For undated references, the latest edition of the referenced 
document (including any amendments) applies. 


• ISO/IEC 17011, Conformity assessment - General requirements for accreditation bodies 
accrediting conformity assessment bodies. 

• ISO/IEC 17025, General requirements for the competence of testing and calibration 
laboratories. 

• NIST Handbook 150, (NVLAP) Procedures and General Requirements. 

• NIST Handbook 150-22, (NVLAP) Voting System Testing. 


Appendix C - Voting System Test Plan Outline 


This outline is provided solely as an aid to test plan development. Note that these items may 
change significantly, depending on the specific project planned. 


1. Introduction 
1.1. References 
1.2. Terms and Abbreviations 
1.3. Testing Responsibilities 
1.3.1. Project schedule with 
1.3.1.1. Owner assignments 
1.3.1.2. Test case development 
1.3.1.3. Test procedure development and validation 
1.3.1.4. 3rd party tests 
1.3.1.5. EAC and manufacturer dependencies 
1.4. Target of Evaluation Description 
1.4.1.1. System Overview 
1.4.1.2. Block diagram 
1.4.1.3. System Limits 
1.4.1.4. Supported Languages 
1.4.1.5. Supported Functionality 
1.4.1.6. Standard VVSG Functionality 
1.4.1.7. Manufacturer Extensions 

2. Pre-Certification Testing and Issues 
2.1. Evaluation of prior VSTL testing 
2.1.1. Reason for testing and results, listing of modifications from the previous system to the 
system to be tested 
2.2. Evaluation of prior non-VSTL testing 
2.2.1. Reason for testing and results, states, other 3rd party entities 
2.3. Known Field Issues 
2.3.1. Listing of relevant issues uncovered during field operations 
3. Materials Required for Testing 
3.1. Software 
3.2. Equipment 
3.3. Test Materials 
3.4. Deliverable Materials 


4. Test Specifications 
4.1. Requirements 
4.1.1. Mapping of requirements to equipment type and features 
4.1.2. Rationale for why some requirements are not applicable for this campaign 
4.2. Hardware Configuration and Design 
4.3. Software System Functions 
4.4. Test Case Design 
4.4.1. Hardware Qualitative Examination Design 
4.4.1.1. Mapping of requirements to specific interfaces 
4.4.2. Hardware Environmental Test Case Design 
4.4.3. Software Module Test Case Design and Data 
4.4.4. Software Functional Test Case Design and Data 
4.4.5. System-level Test Case Design 
4.5. Security functions 
4.6. TDP evaluation 
4.7. Source Code review 
4.8. QA & CM system review 
5. Test Data 
5.1. Data Recording 
5.2. Test Data Criteria 
5.3. Test Data Reduction 
6. Test Procedure and Conditions 
6.1. Facility Requirements 
6.2. Test Set-up 
6.3. Test Sequence 
7. Test Operations Procedures 


Appendix D - Voting System Modification Test Plan Outline 
This outline is provided solely as an aid to test plan development. Note that these items may 
change significantly, depending on the specific project planned. 


1. Introduction 
1.1 Description and Overview of EAC-certified system being modified 
1.1.1 Complete definition of the baseline certified system. 
1.1.2 Detailed description of the engineering changes and/or modifications to the 
certified system and why the modification was implemented. 
1.1.3 An initial assessment of the impact that the modifications have on the system and 
past certification. 
1.1.4 Description of what will be regression tested to establish assurance that the 
modifications have no adverse impact on the compliance, integrity or performance 
of the system. 
1.2 References 
1.3 Terms and Abbreviations 
1.4 Project Schedule 
1.5 Scope of testing 
1.5.1 Block diagram (if applicable) 
1.5.2 System limits (if applicable) 
1.5.3 Supported Languages 
1.5.4 Supported Functionality 
1.5.5 VVSG 
1.5.6 RFIs 
1.5.7 NOCs 
2. Pre-Certification Testing and Issues 
2.1 Evaluation of prior VSTL testing 
2.2 Evaluation of prior non-VSTL testing (if applicable) 
2.3 Known Field Issues (if applicable) 
3. Materials Required for Testing 
3.1 Software 
3.2 Equipment 
3.3 Test Materials 
3.4 Deliverables 

3.5 Proprietary Data 
4. Test Specifications 
4.1 Requirements 
4.1.1 Mapping of requirements to equipment type and features 
4.1.2 Rationale for why some requirements are NA for this campaign 
4.2 Hardware Configuration and Design (if applicable) 
4.3 Software System Functions (if applicable) 
4.4 Test Case Design 
4.4.1 Hardware Qualitative Examination Design (if applicable) 
4.4.2 Hardware Environmental Test Case Design (if applicable) 
4.4.3 Software Module Test Case Design and Data (if applicable) 
4.4.4 Software Functional Test Case Design and Data (if applicable) 
4.4.5 System-level Test Case Design 
4.5 Security functions (if applicable) 
4.6 TDP evaluation 
4.7 Source Code review (if applicable) 
4.8 QA & CM system review 
5. Test Data 
5.1 Test Data Recording 
5.2 Test Data Criteria 
6. Test Procedure and Conditions 
6.1 Test Facilities 
6.2 Test Set-up 
6.3 Test Sequence 
6.4 Test Operations Procedure 


Appendix E — Voting System Test Report Outline 


Test Reports produced by VSTLs must follow the format outlined below. Deviations from this 
format may be used upon prior written approval of the Program Director. 
1. System Identification and Overview 
2. Certification Test Background 
2.1. Revision History 
2.2. Implementation Statement 


3. Test Findings 


3.1. Summary Finding 
3.2. Anomalies 
3.3. Correction of Deficiencies 


Appendix A. Additional Findings 

Appendix B. Warrant of Accepting Change Control Responsibility 
Appendix C. Trusted Build 

Appendix D. Test Plan 

Appendix E. State Test Reports 


Appendix F - Voting System Modification Test Plan Outline 


Test Reports produced by VSTLs must follow the format outlined below. Deviations from this 
format may be used upon prior written approval of the Program Director. 


1. Introduction 
1.1 Description of EAC-certified system being modified 
1.2 References 
1.3 Terms and Abbreviations 
2. Certification Test Background 
2.1 Revision History 
2.2 Scope of testing 
2.2.1 Modification Overview 
2.2.1.1 Detailed list of changes 
2.2.2 Block diagram (if applicable) 
2.2.3 Supported Languages 
2.2.4 VVSG 
2.2.5 RFIs 
2.2.6 NOCs 
3. Test Findings and Recommendation 
3.1 Summary Finding and Recommendation 
3.1.1 Hardware Testing 
3.1.2 System Level Testing 
3.1.3 Source code review 
3.2 Anomalies and Resolutions 
3.3 Deficiencies and Resolutions 
4. Recommendation for Certification 
Appendix A. Additional Findings 
Appendix B. Deficiency report (if applicable) 
Appendix C. Anomaly report (if applicable) 
Appendix D. Test Plan 
Appendix E. State Test Reports (if applicable) 


Appendix G - Certification of Laboratory Conditions and Practices Form 


CERTIFICATION OF LABORATORY CONDITIONS AND 
PRACTICES 


I, the undersigned, having investigated or caused to be investigated each matter, below; 
certify, affirm and acknowledge that each of the following numbered statements are true and 
otherwise accurately reflect the status, condition and operations of 
(hereinafter “Laboratory”). I understand that by certifying the 
information below, I am making a statement or representation to the U.S. Election Assistance 
Commission required for receiving a Laboratory Accreditation under 42 U.S.C. 
§15371(b). I further understand, that to the extent any of the below representations or 
certifications are found to be materially false, the U.S. Election Assistance Commission may 
revoke any Accreditations granted to the above-named laboratory and that I may be subject 
to criminal prosecution under 18 U.S.C. §1001. 


1. Signing Official. I hereby certify that I am an officer, partner or other official vested with 
the legal authority to speak for, contract on behalf of, or otherwise bind the above noted 
company, corporation, partnership or organization (Laboratory). 


2. Personnel. I certify, consistent with Section 2.54. of the EAC Voting System Test Laboratory 
Program Manual (hereinafter Laboratory Manual), that the laboratory has written policies 
in place to ensure that it does not currently, and will not in the future, employ any 
individuals in any capacity related to the testing of voting systems who have been 
convicted of a felony offense or any criminal offense involving fraud, misrepresentation, 
or deception under either Federal or State law. 


3. Conflicts of Interest and Prohibited Practices. I certify, consistent with Section 2.45. of 
the Laboratory Manual, that the Laboratory maintains and enforces written policies 
which: 


a. Prohibit conflicts of interest or the appearance of conflicts of interest pursuant to 
Section 2.4.1. of the Laboratory Manual. 


b. Prohibit practices such as participation in both the development and testing of a 
voting system or the solicitation or acceptance of gifts from a voting system 
manufacturer pursuant to Section 2.4.2. of the Laboratory Manual. 


c. Provide clear mechanisms for enforcement of the prohibitions noted above 
pursuant to Section 2.4.3. of the Laboratory Manual. 


4. Financial Stability. I certify, consistent with Section 2.19. of the Laboratory Manual, that 
the laboratory possesses sufficient resources to enable it to properly use and maintain its 
test equipment and facility, to satisfactorily perform all required functions, and to 
adequately indemnify itself against financial liabilities or penalties that may result from 
its operations. 


5. Authority to do Business in the United States. I certify, consistent with Section 2.17. of 
the Laboratory Manual, that the Laboratory is lawfully entitled or otherwise not 
prohibited from doing business with the United States or its citizens or operating in the 
United States. 


6. Recordkeeping. I certify, consistent with Section 2.20. of the Laboratory Manual, that the 
laboratory operates and manages a records system in which it maintains all forms, reports, 
test records, observations, calculations, and derived data for all tests performed for a 
period of at least 5 years. 


I, by signing my name below, certify, affirm and acknowledge, under penalty of federal law, 
that each of the above numbered paragraphs accurately represent the operations, conditions, 
and practices of (Laboratory). 


Signed this day, 


(Signature) 


(Name of Signing Official) 


(Title of Signing Official) 


Appendix H — Specification for Reproduction and use of the EAC 
Laboratory Accreditation Logo 


Specification for Reproduction and use of the EAC Laboratory Accreditation Logo 


To maintain a high level of quality and consistency in a variety of applications, the following 
guidelines have been developed for VSTL use of the EAC laboratory accreditation logo. 


Use and Display 


The EAC VSTL logo contains the following elements: 

The “U.S. Election Assistance Commission” and “VSTL” logotype separated by a divider rule. 
The EAC will provide all accredited VSTLs with high resolution digital files for use on 
approved written or electronic documents. 


The logo may only be used by EAC accredited VSTLs and must not misrepresent the specific 
standards or guidelines to which the VSTL has been accredited. The EAC VSTL logo may be 
displayed on all reports and work documents that contain exclusive results from testing 
activities that have been carried out within the labs’ EAC scope of accreditation. Accredited 
laboratories may also incorporate the logo in publicity and/or advertising materials, including 
brochures and organization publications, technical literature, business reports, Web sites and 
quotations or proposals for work. 


Only the approved version of the VSTL logo may be used. When using the logo: 


• Do not print the logo in black over a dark background. 
• Do not change any colors of the logo. 
• Do not configure the elements of the logo in a different format. 
• Do not crop or remove any part of the logo. 
• Do not distort the logo. 
• Do not tilt the logo in any direction. 
• Do not add shadows, effects or other elements to the logo. 
• Do not change the typeface/font used in the logo. 


Minimum Size 


The full VSTL logo must remain readable in all uses and should not be reduced to a size smaller 
than 2.5 inch x 1 inch. 


Minimum Clear Space 


The clear space surrounding the VSTL logo is an integral part of the logo design. An area of 
clear space must be maintained around the logo to prevent it from being in conflict with other 
design elements on the page. The clear space should measure at least X on all sides, where X 
equals 1/2 the height of the upper-case letters “VSTL” in the logo. Do not place any other logo, 
logotype, trademark, text, or other graphic element in the minimum clear space area. 


One Color Printing 


A black version of the logo may be printed on white or light color background paper. In these 
instances, the logo should appear in 100% black. 


Color Printing 


Whenever possible, the full color version of the logo should be used. The appropriate colors are 
provided below for 4 color process printing or RGB for electronic use. 


Blue 
CMYK = 98/78/0/29 
RGB = 0/51/153 
HSL = 156/255/77 


Red 
CMYK = 5/96/98/5 
RGB = 204/51/0 
HSL = 10/255/102 


Embossing on “VSTL” = CMYK 97/92/0/65 


U.S. Election Assistance Commission 


